| Title | WebAssembly binaryen e7706b3 Memory Corruption |
|---|
| Description | This submission is a duplicate of submission 717317. The difference is that a fix link was added and this one requests a CVE for the vulnerability. Please ignore submission 717317.
### Description
We encountered a Segmentation Fault (SEGV) in wasm-opt. The crash occurs in wasm::Function::getLocalType when processing a malformed WebAssembly binary.
The AddressSanitizer (ASan) report indicates a SEGV on unknown address 0x0000000003e8, which points to the zero page. This strongly suggests a Null Pointer Dereference, likely caused by accessing a member variable from a null object pointer during the local type resolution.
Crucially, this crash was reproduced in a Release build with assertions explicitly disabled. This indicates that the necessary validity checks are missing or optimized out in production builds, leading to a hard crash (Denial of Service).
Vendor confirmed and fixed this vulnerability in commit 94bd5d8.
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled, Assertions DISABLED
- Build Commands:
```
cmake .. \
-DCMAKE_BUILD_TYPE=Release \
-DBYN_ENABLE_ASSERTIONS=OFF \
-DENABLE_WERROR=OFF \
-DBUILD_TESTS=OFF
AFL_USE_ASAN=1 make -j$(nproc)
```
### Vulnerability Details
- Target: wasm-opt
- Crash Type: Segmentation Fault (SEGV on unknown address)
- Faulting Instruction: READ memory access
- Location: wasm::Function::getLocalType (wasm.cpp:1655)
- Caller: wasm::IRBuilder::makeLocalGet
- Root Cause Analysis: The crash happens when IRBuilder attempts to get the type of a local variable. The hint that the address points to the zero page (0x3e8) typically implies that the base pointer is NULL and that the code attempts to read a member at offset 0x3e8.
### Reproduce
```
./wasm-opt repro -o /dev/null
```
Download Link: [repro](https://github.com/oneafter/1204/blob/main/af1)
ASan report:
```
==9943==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000003e8 (pc 0x7f063ecbb23b bp 0x7ffe1217d230 sp 0x7ffe1217d1c0 T0)
==9943==The signal is caused by a READ memory access.
==9943==Hint: address points to the zero page.
#0 0x7f063ecbb23b in wasm::Function::getLocalType(unsigned int) /src/repro/branch/binaryen/src/wasm/wasm.cpp:1655:12
#1 0x7f063ed8eb74 in wasm::IRBuilder::makeLocalGet(unsigned int) /src/repro/branch/binaryen/src/wasm/wasm-ir-builder.cpp:1415:42
#2 0x7f063ed34139 in wasm::WasmBinaryReader::readInst() /src/repro/branch/binaryen/src/wasm/wasm-binary.cpp:3238:22
#3 0x7f063ed1cc5e in wasm::WasmBinaryReader::readFunctions() /src/repro/branch/binaryen/src/wasm/wasm-binary.cpp:3158:23
#4 0x7f063ed11fb0 in wasm::WasmBinaryReader::read() /src/repro/branch/binaryen/src/wasm/wasm-binary.cpp:2107:9
#5 0x7f063ed6d794 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char>>&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) /src/repro/branch/binaryen/src/wasm/wasm-io.cpp:67:10
#6 0x7f063ed6db87 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) /src/repro/branch/binaryen/src/wasm/wasm-io.cpp:78:3
#7 0x7f063ed6e8e0 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) /src/repro/branch/binaryen/src/wasm/wasm-io.cpp:101:5
#8 0x56164abfb3bd in main /src/repro/branch/binaryen/src/tools/wasm-opt.cpp:319:14
#9 0x7f063cdfb1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#10 0x7f063cdfb28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#11 0x56164a960064 in _start (/src/repro/branch/binaryen/build/bin/wasm-opt+0x6c064) (BuildId: 99578869f5767b9991ec001497068a2e7edc2c26)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/repro/branch/binaryen/src/wasm/wasm.cpp:1655:12 in wasm::Function::getLocalType(unsigned int)
==9943==ABORTING
``` |
|---|
| Source | ⚠️ Exploit: https://github.com/WebAssembly/binaryen/issues/8090 | Fix: https://github.com/WebAssembly/binaryen/pull/8099 |
|---|
| User | Oneafter (UID 92781) |
|---|
| Submission | 12/17/2025 03:22 AM (3 months ago) |
|---|
| Moderation | 12/19/2025 09:53 AM (2 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 337593 [WebAssembly Binaryen up to 125 IRBuilder wasm-ir-builder.cpp makeLocalTee Index null pointer dereference] |
|---|
| Points | 0 |
|---|